*Edit: saw that you wanted to have pytivo serve up MRS. I can't say for sure, but drawing an analogy to the original MRV introduced back in sw 4.0+, the reversing done there (which ultimately led to the creation of "tivoserver") required hacked units (both for the reversing process as well as to use tivoserver to transfer shows), so that wouldn't bode well. That said, it would be quite snazzy to have pytivo allow MRS access to its videos.*

After streaming a video, you can simply pull the drives from the MRS client and server units to look through their logs to find the request URL to initiate the stream.

IIRC, the URL was just a suffix permutation of the MRV URLs, but I can't recall if the stream setup first required a mutual certificate authentication or not. Any such authentication (if present) plus the stream encryption means there's little that can be done, unless you have a way to crack those.

Last edited by puffdaddy; 01-14-2012 at 12:07 PM..
Reason: read original post more closely

Of course, on the extreme end of optimism, it's possible that implementing streaming will be as simple as adding "<StreamingPermission>Yes</StreamingPermission>" to the container XML.

Just tried that, after modifying your latest commit to add the tag, it's easy to see that pyTiVo is definitely sending the StreamingPermission tag in the right place (correctly CamelCased), but no change on the TiVo. I also noticed the TiVo sends some new stuff for QueryContainer:

So I also tried hacking the root template to send an extra Item with a 'x-tivo-container/tivo-videostream' ContentType and with the UniqueId set to the same as the Title, but still no change. Everything looks correctly formatted, and pytivo still functions fine, without complaint, for push and pull transfers.

Haven't had the time to play more than that.


As is the norm for TiVo these days the entire MRS communication between TiVos is SSL encrypted, so packet sniffing MRS communication didn't yield anything useful for me (unlike MRV which did show useful info in the past).

The annoying thing for me right now is that I can't even get my Premiere to accept a transport-stream .TiVo file (from the same unit) via pyTivo. Same file via TiVo Desktop, no problem. I've got the TiVo to request the file from pyTivo, but as soon as the file starts to transfer, the TiVo drops the connection. I've copied (almost) all the TD behavior I can see by hitting it with a browser, and clearly it's not enough.

But, I digress.


Not sure how one would MITM easily with both sides of the communications being TiVos. Guess you would have to set Gateway for both TiVo network setups to go through a computer implementing MITM instead of a router.

Will be interesting to see if 20.2 works any differently. With 20.2 I noticed that choosing secondary audio (SAP) from the Info screen for TV recordings now actually works. Also txporter recently discovered that mp4 with H.264 and multiple audio streams also allows you to switch audio streams. i.e. If you want to make a video that plays on a portable player that requires 2-channel AAC but also plays on a TiVo with the original 6-channel AC3 now it's possible to do so. (maybe that already worked before 14.9/20.2 but I'm not sure). It also looks like TiVo decoder actively looks for Dolby audio stream as first choice regardless if it's the 1st or 2nd audio stream.

The interesting thing about TS container with H.264 would be to eliminate the need for MOOV atom nonsense that mp4 container requires which would also open up possibility/option for pyTivo to transcode to H.264 instead of mpeg2.

That's interesting about the multi-audio streams. Now I have to do some tests and see if I can come up with a handbrake or ffmpeg recipe that produces a file both the Roku and TiVo will accept and play.

If we get streaming enabled from pytivo, I'll be happy with mpeg2. It's faster/easier to encode when using general purpose cpus. I guess if I wanted to store content on the box, h.264 would still be preferable.


My triumph was pitifully short-lived. 20.2 appears to throttle all connections, in and out, to around 20 Mbps. Perversely, MPEG-2 transfers are now faster than MP4, and program streams are the fastest of all (though not by much), turning everything on its head.

They also broke the transfer of many metadata items, even via real .TiVo files. Apart from all that, it doesn't seem much different (for pyTivo's purposes) from 14.9 -- same kinds of weirdness with transport streams, MP4 pulls still look like they're going to work but don't, etc.


I don't know if this'll be useful to you for Tivo/pyTivo hacking or not, but thought I'd share on the off-chance it could be. http://mitmproxy.org/

Quote:

mitmproxy is an SSL-capable man-in-the-middle HTTP proxy. It provides a console interface that allows traffic flows to be inspected and edited on the fly.

mitmdump is the command-line version of mitmproxy, with the same functionality but without the frills. Think tcpdump for HTTP.

Intercept and modify HTTP traffic on the fly
Save HTTP conversations for later replay and analysis
Replay both HTTP clients and servers
Make scripted changes to HTTP traffic using Python
SSL interception certs generated on the fly


I gave MITM a serious go over the weekend. Ultimately I was not able to decrypt SSL traffic as intended, but I am posting the steps I took in detail in the hopes of encouraging others to give it a shot and perhaps find a way to get it working. I think I'm close but perhaps need a different tool for SSL stripping.

NOTE: One of the most important things I learned is it's not necessary to have a hub to monitor your network traffic, since ARP poisoning can take care of making sure you can see all your switched activity from your PC.

NOTE: I also don't have linux installed at home so I used a linux installation on a thumb drive (4GB thumb drive in my case). The nice thing about that approach is if you currently have only Windows or Mac you can just install and run everything from a thumb drive without interfering at all with your Windows or Mac installation. It's better if you have a more permanent linux installation to play with, but steps below don't require that.

STEP 1 - INSTALL LINUX ON A THUMB DRIVE
(You can use Ubuntu if you want, but that means some hacking tools missing you would have to install. Backtrack 5 has most of the hacking tools needed already installed)
a. Download Backtrack Linux iso file from:

STEP 2 - BOOT LINUX FROM THUMB DRIVE
a. Make sure thumb drive is in a USB slot and reboot/start your PC
b. During boot up go to your boot options screen. For my laptop running Windows I press Esc during bootup and then F9 to choose which device to boot from. Here I then choose the thumb drive

STEP 3 - GET LINUX UP AND RUNNING WITH NETWORKING ENABLED
a. At prompt type the following to start x-windows:
startx
b. Start networking as follows:
Applications-Internet-Wicd Network Manager
- If you have wired network then simply choose connect on 1st entry.
- If you have wireless network then choose "Properties" and in "Key" field enter your WPA2 password (or whichever protection you are using). Then click on "Connect".

b. Determine name of your network interface device.
If using wired this is "eth0"
If using wireless this is "wlan0"

STEP 6a - SETUP AND RUN THE MITM ATTACK USING ettercap
a. Start a new shell by clicking on the terminal icon to the right of System
b. Install ettercap:
apt-get install ettercap
c. Edit the /etc/etter.conf file. I usually use "vi" as editor but you can use xedit graphical editor:
xedit /etc/etter.conf
d. Scroll down to section entitled "Linux" and then uncomment (remove the leading #) from the following 2 entries under "# if you use iptables"
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
e. Click on Save and then Quit
f. Now we are ready to start ettercap (Use wlan0 or eth0 interface according to wireless or wired, and replace the IP names with your Premiere IPs):
ettercap -Tqdi wlan0 -w etter.pcap -M arp:remote /192.168.10.196/ /192.168.10.199/
g. The traffic is now logged to etter.pcap file which can then be viewed using wireshark:
wireshark etter.pcap
NOTE: Stop ettercap by pressing 'q' in the ettercap window.

c. arp poison traffic on your network so that it routes through your PC. Specifically I choose to poison my 2 Premieres:
1. Start a new shell by clicking on the terminal icon to the right of System
2. Execute following command in that shell (use eth0 if wired, wlan0 if wireless which is my case):
arpspoof -i wlan0 -t 192.168.10.196 192.168.10.199
(Obviously substitute the 2 IPs above for whatever your 2 Premiere IPs are)

d. Start sslstrip monitoring port 8080 and logging to file strip.log:
1. Start a new shell by clicking on the terminal icon to the right of System
2. Execute following command in that shell:
sslstrip -a -k -l 8080 -w strip.log
3. Now on your client Premiere browse to your other Premiere and push inside of show details of your host Premiere. That is enough to generate traffic on port 443 (without actually starting MRS).
4. If you want to monitor the strip.log file you can open another shell and execute the following:
tail -f strip.log

NOTES:
- Ideally if this worked properly at this point strip.log would contain unencrypted traffic.
- You can use the following iptables command to actually check if any traffic is being port forwarded:
iptables -t nat -L -v
(Even though for me this shows there is some traffic on port 443 sslstrip is not doing anything with it)
- Use Ctrl-C to stop arpspoof and/or sslstrip
- If instead of 443 I repeat the above with port 80 then I do see all the traffic using sslstrip (kind of interesting to see). In order to remove forwarding you simply use -D instead of -A in the iptables command. i.e. To remove the 443 forwarding:
iptables -t nat -D PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080
Then to add port 80 forwarding instead use:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

VIEWING TRAFFIC WITH WIRESHARK
After you setup the arpspoof poisoning you can actually start wireshark to monitor network traffic as follows:
1. From command prompt start wireshark:
wireshark
2. Choose the appropriate network interface, in my case wlan0
3. Confirm there is a bunch of traffic generated between your 2 Premiere units when browsing remote Premiere and pushing inside of show details. Specifically you should look for SSLv3 and "Server Hello" which is the SSL handshaking that happens when you push into show details on remote Premiere.
4. NOTE: Click on the red 'x' to stop capturing network traffic.

In my case the arp poisoning is working fine since I can see all the traffic using wireshark. But unfortunately sslstrip is not doing what I expected which is to decrypt https traffic. I think this is probably because it was designed for web based ssl decryption (clients using web browsers) as opposed to SSL between 2 local LAN machines.

FINAL NOTE
If using Backtrack 5 thumb drive remember that because there is no perpetual file store defined as soon as you shutdown then any and all changes you made to the linux installation will be lost and need to be repeated. I made a script that does most of the above tasks for me so I don't have to repeat every time. I save the script as part of an email attachment so I can get to the script through Firefox while in Backtrack 5. i.e. A permanent linux install would be better if you have an available machine to do it or if you setup dual boot or VMWare instead.
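Seen from the network owner's side, the ARP poisoning in the steps above leaves a recognizable trace: the IP-to-MAC binding of each targeted unit flips, and one MAC starts answering for both IPs. The following is an added example, not part of the original post, that checks ARP reply lines for both signs; the sample lines, the documentation-range MAC addresses and the function name find_arp_anomalies are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump's ARP reply style. The IPs are the two
# from the post; the MACs are documentation-range values, not real devices.
SAMPLE = """\
10:00:01.100 ARP, Reply 192.168.10.196 is-at 00:00:5e:00:53:01, length 28
10:00:01.200 ARP, Reply 192.168.10.199 is-at 00:00:5e:00:53:02, length 28
10:05:00.000 ARP, Reply 192.168.10.199 is-at 00:00:5e:00:53:ee, length 28
10:05:00.010 ARP, Reply 192.168.10.196 is-at 00:00:5e:00:53:ee, length 28
10:05:01.000 ARP, Reply 192.168.10.199 is-at 00:00:5e:00:53:ee, length 28
"""

REPLY = re.compile(
    r"^(\S+) ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def find_arp_anomalies(text):
    """Return (changes, shared): bindings that flipped, and MACs claiming several IPs."""
    current = {}                    # ip -> MAC most recently announced
    ips_by_mac = defaultdict(set)   # MAC -> every IP it has claimed
    changes = []
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue                # not an ARP reply line
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        old = current.get(ip)
        if old is not None and old != mac:
            changes.append((ts, ip, old, mac))   # binding flipped mid-capture
        current[ip] = mac
        ips_by_mac[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return changes, shared


if __name__ == "__main__":
    changes, shared = find_arp_anomalies(SAMPLE)
    for ts, ip, old, new in changes:
        print(f"{ts} {ip} moved from {old} to {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A DHCP lease change or a host with several addresses can trigger either signal on its own; both appearing together for the same pair of hosts is the pattern worth investigating.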

Don't know how many Live USB installations this works for, but with a Fedora USB,
you can make the usb stick with an "overlay" storage (whatever that means :-), but
the upshot is that you actually get a modifiable USB installation so you can
add packages, etc and they will be there the next time you plug in a boot from
the USB.

Yes, for Ubuntu you can do that as well (define persistence space for a thumb drive installation that survives reboots). I actually started with and have another USB stick with persistent Ubuntu on it. It was just easier to summarize with Backtrack 5 because it required minimal amount of extra package installations to get going. Pretty much any recent linux installation should work though. Note also that if it was just ARP poisoning necessary then something like Cain & Abel on Windows works fine for that task. However I didn't find much in the way of transparent proxy + ssl decryption tools available for Windows, so it became clear pretty quickly that Linux was the way to go, plus for me I like command line tools better anyway so Linux was a better fit. Actually I'm open to anything that will just work at this point - don't really care if it's Windows or Linux.

As a side note, doing sniffing on port 80 actually provides a lot of insight on how HME applications work (for Showcases menus and in TiVo My Shows screen). With help of some DNS spoofing it may be possible to get your own HME applications showing up on My Shows screen which would be interesting, but I don't want to be side-tracked at the moment.

FYI I got ettercap running properly, but unfortunately it also doesn't seem to decrypt SSL properly for the TiVo communication either. I updated the instructions above indicating how to use ettercap which is actually simpler than arpspoof + sslstrip.

Interested novice here and certainly no security expert. Doesn't sslstrip present http to one side of the conversation? Is it possible that tivo(s) only accepts https (tls+http)?

Well in my example, theoretically because of my iptables rule all port 443 traffic is redirected to port 8080 which sslstrip is then processing and passing off to the actual destination. The traffic is reaching my Premiere so it looks like sslstrip is just leaving everything alone and just passing traffic through. If it were actually downgrading to http as it's supposed to and the destination TiVo didn't like that then there would be a handshaking failure and I wouldn't be able to get to show details on the host TiVo. I think part of the complication here is that the host TiVo is using port 443 (192.168.10.196 in my example) while the client TiVo is using a different port (not a specific port but varies with each attempt).

Quote:

I'm guessing a successful trace will involve spoofing a cert and then feeding that cert into wireshark to decrypt the data stream.
Cheering you on from the sideline.

Well the problem is we don't have the TiVo certificate which is needed for this and if TiVo won't accept fake certificates then none of these MITM attacks are going to work from my limited understanding.

As an example I tried using similar techniques to see if I could sniff out my login and password for mail.yahoo.com but yahoo is smart enough to recognize it's being compromised and login wouldn't work while I had port redirection turned on.

I tried playing around with cain & abel and a self-signed cert generated by the program. Tivo wouldn't take it and then I was quickly over my head.
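The port 80 versus port 443 difference reported in this thread comes down to what each connection's first bytes are. sslstrip works on plaintext HTTP, rewriting https links so a browser never upgrades, while a peer that connects straight to 443 opens with a TLS handshake record that carries no HTTP to rewrite. The following is an added example, not code from any poster, that classifies those first bytes and reads the SSLv3 hello fields Wireshark displays; build_hello and its byte strings are constructed, not captured TiVo traffic.

```python
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data):
    """Describe what protocol a connection's first bytes carry."""
    if data.startswith(HTTP_METHODS):
        return {"kind": "http", "method": data.split(b" ", 1)[0].decode()}
    # A TLS record header is 5 bytes: content type, major, minor, 2-byte length.
    if len(data) < 5 or data[0] not in RECORD_TYPES or data[1] != 3:
        return {"kind": "unknown"}
    info = {
        "kind": "tls",
        "record": RECORD_TYPES[data[0]],
        "record_version": VERSIONS.get((data[1], data[2]), "unknown"),
        "length": int.from_bytes(data[3:5], "big"),
    }
    body = data[5:5 + info["length"]]
    # Handshake header: 1-byte message type, 3-byte length, then the message.
    if data[0] == 22 and len(body) >= 6:
        info["handshake"] = HANDSHAKES.get(body[0], f"type {body[0]}")
        if body[0] in (1, 2):   # both hellos start with a 2-byte protocol version
            info["hello_version"] = VERSIONS.get((body[4], body[5]), "unknown")
    return info


def build_hello(msg_type, version=(3, 0)):
    """Constructed hello record, cut off after the session id; enough for header parsing."""
    body = bytes(version) + bytes(32) + b"\x00"   # version, 32-byte random, empty session id
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    samples = {
        "port 80 request (constructed)": b"GET /example HTTP/1.1\r\nHost: tivo\r\n\r\n",
        "port 443 client (constructed)": build_hello(1),
        "port 443 server (constructed)": build_hello(2),
    }
    for label, data in samples.items():
        print(label, "->", classify_first_bytes(data))
```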